Skip to content

Instantly share code, notes, and snippets.

View xtremebeing's full-sized avatar

Tony Carter xtremebeing

5 followers · 65 following
View GitHub Profile
@xtremebeing
xtremebeing / research.md
Created January 21, 2025 17:02 — forked from hackermondev/research.md
Unique 0-click deanonymization attack targeting Signal, Discord and hundreds of platform

hi, i'm daniel. i'm a 15-year-old high school junior. in my free time, i hack billion dollar companies and build cool stuff.

3 months ago, I discovered a unique 0-click deanonymization attack that allows an attacker to grab the location of any target within a 250 mile radius. With a vulnerable app installed on a target's phone (or as a background application on their laptop), an attacker can send a malicious payload and deanonymize you within seconds--and you wouldn't even know.

I'm publishing this writeup and research as a warning, especially for journalists, activists, and hackers, about this type of undetectable attack. Hundreds of applications are vulnerable, including some of the most popular apps in the world: Signal, Discord, Twitter/X, and others. Here's how it works:

Cloudflare

By the numbers, Cloudflare is easily the most popular CDN on the market. It beats out competitors such as Sucuri, Amazon CloudFront, Akamai, and Fastly. In 2019, a major Cloudflare outage k

@xtremebeing
xtremebeing / WAHH_Task_Checklist.md
Created February 12, 2021 01:27 — forked from amotmot/WAHH_Task_Checklist.md
The Web Application Hacker's Handbook - Task Checklist - Github-Flavored Markdown
@xtremebeing
xtremebeing / WAHH_Task_Checklist.md
Created September 5, 2020 20:39 — forked from jhaddix/Testing_Checklist.md
The Web Application Hacker's Handbook - Task Checklist - Github-Flavored Markdown
@xtremebeing
xtremebeing / cloud_metadata.txt
Created June 15, 2020 15:54 — forked from BuffaloWill/cloud_metadata.txt
Cloud Metadata Dictionary useful for SSRF Testing
## IPv6 Tests
http://[::ffff:169.254.169.254]
http://[0:0:0:0:0:ffff:169.254.169.254]
## AWS
# Amazon Web Services (No Header Required)
# from http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories
http://169.254.169.254/latest/meta-data/iam/security-credentials/dummy
http://169.254.169.254/latest/user-data
http://169.254.169.254/latest/user-data/iam/security-credentials/[ROLE NAME]
@xtremebeing
xtremebeing / bloom.py
Created June 11, 2020 22:03 — forked from JohnTroony/bloom.py
Simple Bloom filter implementation in Python 3 (for use with the HIBP password list)
#!/usr/bin/python3
#
# Simple Bloom filter implementation in Python 3
# Copyright 2017 Hector Martin "marcan" <[email protected]>
# Licensed under the terms of the MIT license
#
# Written to be used with the Have I been pwned? password list:
# https://haveibeenpwned.com/passwords
#
# Download the pre-computed filter here (629MB, k=11, false positive p=0.0005):
@xtremebeing
xtremebeing / OpSec
Created June 11, 2020 22:02 — forked from JohnTroony/OpSec
Guide for proper Opsec and comsec for the paranoid.
# OPS Info
## Info:
* Google Custom Alerts: http://google.com/alerts/
* Google Reverse Image search instructions: https://support.google.com/websearch/answer/1325808?hl=en
## Antitheft Apps :
* Lookout: https://www.lookout.com/